BSD Commit Log Search

   Updated net/unbound, net/rsync

   rsync: updated to 3.4.3

   rsync 3.4.3 (20 May 2026)

   Changes in this version:

   SECURITY FIXES:

   Six CVEs are fixed in this release.  All six are assigned by
   VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
   case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
   CVE-2026-43619) require non-default daemon configuration to reach:
   the first and third need `use chroot = no` for a module, the second
   needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
   CVE-2026-43620) are reachable from a normal pull or a normal
   authenticated daemon connection.  The sixth (CVE-2026-45232) is
   reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
   returns a pathological response.  Many thanks to the external
   researchers who reported these issues.

    [128 lines not shown]

   doc: Updated devel/R-Rcpp to 1.1.1.1.1

   (devel/R-Rcpp) Updated 1.0.14 to 1.1.1.1.1

   (pkgsrc)
          - Three patches dropped
          - Added  patch for src/Makevars (by looking at devel/R-fs)
         to take care the issue of not finding the function backtrace_symbol
            (Atsushi Toyokura helped me a lot on this modification)
          - Tested only on NetBSD (9.4), Linux and SunOS are not tested, sorry

   (upstream)
   Changes in Rcpp non-release version 1.1.1-1.1 (2026-04-19):

           * Please see pr #1466 addressing #1465 for context (plus change
             from #1460, and R_getRegisteredNamespace from #1469)

           * This is an unplanned, unscheduled and uncalled for
             non-release made solely to unplug CRAN from late-breaking
             changes in R 4.6.0


    [165 lines not shown]

   unbound: updated to 1.25.1

   1.25.1

   Bug Fixes
   Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
   Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
   Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
   Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
   Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

   KDE Frameworks update

llvm: updated to 22.1.6

   axen(4): brush up

   Align .Cd introduced in previous with the others.

   Don't abuse -tag for -item.  Mark up ifconfig media types.

   Drop confusing parens around the sentence that says autoselect is the
   default.  The next sentence is the logical continuation of that
   thought, and yet it was outside the parens, torn away from the
   sentence it expands upon.

   Avoid most 30-40 character runs of alphabet soup.  A slash and an 'A'
   is an especially nasty combination.  Fortunately, commas are a thing.
   Give remaining slashes a bit of kerning.

   KDE Frameworks - update to 6.26.0

   8 months worth of updates

   octeon: Add second errata syncw in membar_release

   The second syncw is relevant to CN5xxx/Octeon+ for us (ERLite), we don't
   currently support CN3xxx but attempt to clarify the commentary around all
   this.

   There is a seemingly similar detail on cnMIPS, the SYNC_PLUNGER, which is not
   dealt with or changed here.  This syncw is specifically to work around two
   related errata in CN3xxx and CN5xxx.

   The OCTEON2 path is a future breadcrumb, we don't build it yet.

   Reviewed by: skrll@

   nn: regen distinfo

   doc/TODO: + powerdns-5.0.5, rsync-3.4.3, unbound-1.25.1.

   KASSERT -> KASSERTMSG

   Updated textproc/utf8-cpp, misc/py-trove-classifiers

   py-trove-classifiers: updated to 2026.5.20.19

   2026.5.20.19
   Add classifier for Django 6.1

   utf8-cpp: updated to 4.1.1

   4.1.1
   Fix for 141, introduced in 4.1.0

   s/SET_FEATYRE/SET_FEATURES/ in comment.

   lang/ruby40: remove a unused patch file

   doc: update for tickets 7119-7124

   Pullup ticket #7123 - requested by taca
   net/bind918: Security fix

   Revisions pulled up:
   - net/bind918/Makefile                                          1.68
   - net/bind918/distinfo                                          1.40

   ---
      Module Name:      pkgsrc
      Committed By:     taca
      Date:             Wed May 20 13:07:16 UTC 2026

      Modified Files:
        pkgsrc/net/bind918: Makefile distinfo

      Log Message:
      net/bind918: update to 9.18.49

      BIND 9.18.49 (2026-05-20)

    [88 lines not shown]

   Pullup ticket #7124 - requested by taca
   lang/ruby40: Security fix

   Revisions pulled up:
   - lang/ruby/rubyversion.mk                                      1.323-1.324
   - lang/ruby40/Makefile                                          1.3
   - lang/ruby40/PLIST                                             1.3
   - lang/ruby40/distinfo                                          1.6-1.9
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.3_lib_rdoc_generator_template_aliki___header.rhtml deleted
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.3_lib_rdoc_parser_c.rb deleted
   - lang/ruby40/patches/patch-.bundle_gems_rdoc-7.0.4_lib_rdoc_encoding.rb 1.1
   - lang/ruby40/patches/patch-template_Makefile.in                1.3-1.4

   ---
      Module Name:      pkgsrc
      Committed By:     wiz
      Date:             Fri May 15 16:56:19 UTC 2026

      Modified Files:

    [96 lines not shown]

Changes to be committed:
        modified:   glsmac Makefile

Changes to be committed:
        new file:   Makefile #for glsmac only!

   Pullup ticket #7122 - requested by taca
   graphics/png: Security fix

   Revisions pulled up:
   - graphics/png/Makefile                                         1.224
   - graphics/png/distinfo                                         1.170
   - graphics/png/options.mk                                       1.5

   ---
      Module Name:      pkgsrc
      Committed By:     tnn
      Date:             Sun May 17 13:45:31 UTC 2026

      Modified Files:
        pkgsrc/graphics/png: distinfo options.mk

      Log Message:
      png: update apng patch


    [12 lines not shown]

   Pullup ticket #7121 - requested by nia
   www/palemoon: Build fix

   Revisions pulled up:
   - www/palemoon/distinfo                                         1.43
   - www/palemoon/patches/patch-platform_media_libvpx_config_linux_arm64_vpx__config.h 1.3

   ---
      Module Name:      pkgsrc
      Committed By:     nia
      Date:             Tue May 19 07:31:59 UTC 2026

      Modified Files:
        pkgsrc/www/palemoon: distinfo
      Added Files:
        pkgsrc/www/palemoon/patches:
            patch-platform_media_libvpx_config_linux_arm64_vpx__config.h

      Log Message:

    [3 lines not shown]

Reverting webkit-gtk Makefile to state prior to my mixup!

   Pullup ticket #7120 - requested by taca
   net/rsync: Security fix

   Revisions pulled up:
   - net/rsync/Makefile                                            1.132
   - net/rsync/distinfo                                            1.65
   - net/rsync/patches/patch-sender.c                              deleted

   ---
      Module Name:      pkgsrc
      Committed By:     adam
      Date:             Mon May 11 06:21:51 UTC 2026

      Modified Files:
        pkgsrc/net/rsync: Makefile distinfo
      Removed Files:
        pkgsrc/net/rsync/patches: patch-sender.c

      Log Message:

    [79 lines not shown]

   Pullup ticket #7119 - requested by morr
   editors/vim-share: Security fix

   Revisions pulled up:
   - editors/vim-share/PLIST                                       1.89
   - editors/vim-share/distinfo                                    1.234-1.235
   - editors/vim-share/version.mk                                  1.170-1.171

   ---
      Module Name:    pkgsrc
      Committed By:   morr
      Date:           Sun May 17 17:23:38 UTC 2026

      Modified Files:
              pkgsrc/editors/vim-share: PLIST distinfo version.mk

      Log Message:
      Update to version 9.2.0491.


    [77 lines not shown]

Revert "Changes to be committed:"

This reverts commit 6aacc2c531052437f67f7a2b66aaec73b8728c30.

Horrible error, seems to have replaced wip/webkit-gtk/Makefile with glsmac/Makefile, which was NOT intended at all! Sorry!!

Changes to be committed:
        new file:   Makefile